Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Global Gallery allows Reflected XSS. This issue affects Global Gallery: from n/a through 8.8.0.
Published: 2025-04-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input in the Global Gallery WordPress plugin allows attackers to inject malicious JavaScript into web pages that are rendered back to the user. This reflected XSS flaw corresponds to CWE-79 and can be used to deface the site, steal credentials, or hijack user sessions by executing code in the victim's browser.

Affected Systems

Affected systems are installations of the NotFound Global Gallery plugin for WordPress running any version from the earliest release through 8.8.0. The vulnerability is present in all of these versions, so any site that has not upgraded past 8.8.0 is at risk.

Risk and Exploitability

The CVSS 3.1 score of 7.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) indicates high severity: the attack is network-reachable, low in complexity and needs no privileges, but it requires user interaction and its scope is changed (S:C), so the impact lands in the browsing user's session rather than only in the plugin. The current EPSS score of less than 1% suggests that widespread exploitation has not been observed, and the vulnerability is not listed in the CISA KEV catalog. Despite the low EPSS, the potential for credential theft and defacement makes it a priority to address, ideally by deploying an official fix or removing the plugin until one becomes available. The likely attack vector is a crafted URL or form input that is reflected unchanged in the page output.

Generated by OpenCVE AI on May 1, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Global Gallery plugin to a patched version that removes the reflected XSS vulnerability.
  • If an immediate update is not possible, uninstall or disable the plugin entirely to eliminate the vulnerability until a fix is released.
  • Implement an application layer firewall or security plugin that filters or sanitizes user input and blocks reflected XSS payloads, following OWASP XSS prevention guidelines.
  • Perform output encoding on any remaining unsanitized data in the plugin’s templates to ensure that JavaScript cannot be executed from user-supplied content.

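The last recommended action above, context-appropriate output encoding in the plugin's templates, shown as an added example that is not code from the Global Gallery plugin. The vulnerable pattern is the one CWE-79 describes; the parameter name gg_search, the function names and the script handle gg-gallery are hypothetical, while sanitize_text_field(), wp_unslash(), the esc_*() family, add_query_arg(), wp_json_encode() and wp_add_inline_script() are WordPress core functions.

```php
<?php
// Added example, not code from the Global Gallery plugin: the reflected-XSS
// pattern (CWE-79) in a WordPress template next to its hardened form.
// The parameter name "gg_search", the function names and the script handle
// "gg-gallery" are hypothetical.

// BEFORE: a request parameter is echoed into the page unchanged, so markup
// supplied in the URL becomes part of the rendered HTML.
function gg_render_search_box_unsafe() {
    $term = isset( $_GET['gg_search'] ) ? $_GET['gg_search'] : '';
    echo '<input type="text" name="gg_search" value="' . $term . '">';
    echo '<p>Results for ' . $term . '</p>';
}

// AFTER: unslash and sanitize on input, then escape for each output context.
function gg_render_search_box() {
    $term = isset( $_GET['gg_search'] )
        ? sanitize_text_field( wp_unslash( $_GET['gg_search'] ) )
        : '';

    // Attribute context: esc_attr() encodes quotes and angle brackets.
    printf( '<input type="text" name="gg_search" value="%s">', esc_attr( $term ) );

    // HTML text context: esc_html() encodes <, >, &, " and '.
    printf( '<p>Results for %s</p>', esc_html( $term ) );

    // URL context: build the query string with add_query_arg() and pass the
    // result through esc_url(), which also rejects unsafe URL schemes.
    $link = add_query_arg( 'gg_search', $term, home_url( '/gallery/' ) );
    printf( '<a href="%s">Permalink</a>', esc_url( $link ) );

    // Script context: never concatenate the value into inline JavaScript;
    // serialize it with wp_json_encode() so it is always a JS string literal.
    wp_add_inline_script(
        'gg-gallery',
        'window.ggSearch = ' . wp_json_encode( $term ) . ';'
    );
}

add_action( 'wp_enqueue_scripts', function () {
    // Hypothetical script registration so the inline script above has a handle.
    wp_register_script( 'gg-gallery', plugins_url( 'gallery.js', __FILE__ ), array(), '1.0', true );
    wp_enqueue_script( 'gg-gallery' );
} );
```

The escaping calls sit at the point of output rather than at input because the safe encoding differs per context: a value that is harmless inside an HTML text node can still break out of an attribute, a URL or a script block.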


Advisories

Source: EUVD
ID: EUVD-2025-11131
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Global Gallery allows Reflected XSS. This issue affects Global Gallery: from n/a through 8.8.0.
History

Tue, 28 Apr 2026 19:30:00 +0000

Tue, 28 Apr 2026 18:30:00 +0000
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Global Gallery global-gallery allows Reflected XSS.This issue affects Global Gallery: from n/a through <= 8.8.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Global Gallery allows Reflected XSS. This issue affects Global Gallery: from n/a through 8.8.0.
References

Thu, 23 Apr 2026 15:30:00 +0000

Thu, 23 Apr 2026 15:00:00 +0000
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Global Gallery allows Reflected XSS. This issue affects Global Gallery: from n/a through 8.8.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Global Gallery global-gallery allows Reflected XSS.This issue affects Global Gallery: from n/a through <= 8.8.0.
References

Wed, 16 Apr 2025 15:15:00 +0000
Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 15 Apr 2025 22:00:00 +0000
Description
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Global Gallery allows Reflected XSS. This issue affects Global Gallery: from n/a through 8.8.0.
Title
  Values Added: WordPress Global Gallery plugin <= 8.8.0 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses
  Values Added: CWE-79
References
Metrics (cvssV3_1)
  Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:57.738Z

Reserved: 2025-01-02T12:02:05.150Z

Link: CVE-2025-22263

Vulnrichment

Updated: 2025-04-16T14:58:25.779Z

NVD

Status: Deferred

Published: 2025-04-15T22:15:15.590

Modified: 2026-04-28T19:28:11.017

Link: CVE-2025-22263

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T10:30:15Z

Weaknesses